Welcome back

Cyber risk in an Internet of Things world has been added to your bookmarks.

Cyber risk in an Internet of Things world has been removed from your bookmarks.

An article titled Cyber risk in an Internet of Things world already exists in the bookmark library

Perspectives

Cyber risk in an Internet of Things world

Flashpoint edition 4: More data, more opportunity, more risk

The IoT offers new ways for businesses to create value, however the constant connectivity and data sharing also creates new opportunities for information to be compromised. Explore some of the more notable developments in the battle to combat cyber risks.

Cyber risk in an IoT world

What makes the Internet of Things (IoT) different from the traditional Internet? People, for starters. The IoT doesn’t rely on human intervention to function. With the IoT, sensors collect, communicate, analyze, and act on information, offering new ways for technology, media and telecommunications businesses to create value—whether that’s creating entirely new businesses and revenue streams or delivering a more efficient experience for consumers.

But this also creates new opportunities for all that information to be compromised. Not only is more data being shared through the IoT, among many more participants, but more sensitive data is being shared. As a result, the risks are exponentially greater.

Take the smart home as an illustrative example. Imagine a garage door opener with the added functionality to deactivate the home alarm upon entry. This is a convenient feature for a homeowner entering their home in a hurry. However, now the entire alarm system could potentially be deactivated when only the garage door opener is compromised. The broad range of connectable home devices—TVs, home thermostats, door locks, home alarms, smart home hubs, garage door openers, to name a few—creates a myriad of connection points for hackers to gain entry into IoT ecosystems, access customer information, or even penetrate manufacturers’ back-end systems.

Many technology, media and telecom companies are already grappling with these cyber risk challenges. What are they finding? In this issue of Flashpoints, we’ll take a closer look at some of the more notable developments in the battle to combat cyber risks and take advantage of new opportunities as the IoT expands its reach:

The cyber risk landscape is inexhaustibly complex and ever changing. This figure provides a broad framework for identifying and managing a much wider range of risks arising from IoT implementations.

An integrated risk philosophy is not optional

In most large organizations, the approach to cyber risk may differ by region, product, or business unit. For many, that has worked well enough—parts of the company that require a heightened approach to cyber risk handle their threats in one way, while others take a different tack. But the IoT is forcing many technology, media and telecommunications business leaders to reassess this decentralized approach, since it tends to connect enterprises and their operations in unexpected ways. Safeguarding the IoT is complicated by the scale and scope of data being generated and collected, not to mention the fact that much of it is actually held or accessed by third parties. As a result, many leaders are implementing an umbrella-level cyber risk paradigm, raising standards for cyber risk at every level of the organization, enterprise-wide, from pre-threat to post-event. That means preventing and anticipating IoT-related cyber threats before they take hold, monitoring and neutralizing threats already in play, and restoring normal operations as soon as possible when an organization is struck by a threat.

The IoT is forcing many business leaders to reassess their decentralized approaches to cyber risk management.

Cyber risk management and innovation must be on equal footing

More information creates more possibilities to create value: This is the promise of the IoT. Today, entire business models are launched on the idea of tight collaboration between organizations – and data is often the glue holding them together, propelling companies to invest significantly in customer analytics capabilities to discover new value streams for their customer. These collaborations are taking advantage of an exceptionally broad portfolio of data types—not just device and system data, but everything from employee rosters and inventory records to non-traditional data types such as facial recognition data, facilities access data, industrial control system data, to name just a few. For many, this is uncharted territory, and along the way, data governance has failed to keep pace.

How do you exercise firm control over data governance in that environment? Tighten the controls too much, and you could squeeze the life out of much-needed innovation. Pursue an approach marked by loose oversight, and you could be exposed to outside cyber risks. Cyber risk and innovation are inextricably linked—one shouldn’t be subordinated to the other. Some of the most forward-looking executives in technology, media, and telecommunications are harmonizing these business imperatives by engaging with business leaders both within their organization, as well as outside, to establish a “baseline of normal”. By understanding what “normal” data activity looks like, possible abnormalities can be quickly and accurately flagged for further review.

More information creates more possibilities to create value: This is the promise of the IoT.

No global risk standards? No excuse.

IoT is an inherently shared ecosystem and operating model that crosses public and private sectors. Yet today, there are no uniform standards governing the IoT. If IoT partners operate strategically and cooperatively, immense value can be created for the consumer. However, in lieu of formal standards, this “shared responsibility” mindset to security and associated governance enforcement will not always work—security breaches have the potential to occur anywhere along the ecosystem, increasing the likelihood that this cooperative mindset may breakdown. Standards are almost certainly on the way, but most believe they’re years off. Meanwhile, the IoT continues to grow apace. Business and technology leaders have no choice but to begin developing and implementing their own global cyber risk standards, despite the lack of guidance.

While different industries have aligned in different consortiums, those in the technology, media and telecommunications industries are widely expected to lead the charge. Interoperability among ad hoc, point solutions is one issue where closer collaboration among all the players in the ecosystem is already beginning to happen. While much of the promise of the IoT lies in the ability to aggregate data, today data is generated in different formats, and sensors connect to different networks using different communication protocols. Without common standards governing the functioning of IoT-enabled devices, the barriers to interoperability are immense—but so is the potential business value derived from the IoT.

IoT is an inherently shared ecosystem and operating model that crosses public and private sectors. Yet today, there are no uniform standards governing the IoT.

Retrofitting can work – but it introduces new risks

Some technology, media, and telecommunications companies are looking to implement IoT solutions on top of existing systems, or are closely collaborating with their own customers and partners who are attempting to do the same. Many of these existing legacy systems, which were once standalone and unconnected, are now vulnerable targets for hacking. Does that mean retrofitting should be avoided? Not necessarily—and given the cost of implementing new technologies, some of which may be obsolete in the near future, retrofitting may look like the stronger option.

Along the path to retrofitting, some are encountering new challenges. For example, with so many more points of communication introduced by the IoT, the simple, shared-system accounts and passwords associated with older security programs don’t pass muster. In other cases, it’s clear that purpose-built devices or add-ons designed specifically for the IoT are preferable. Either way, being aware of the risks arising from retrofitting, and accurately assessing them, are crucial steps to effectively managing these risks.

Retrofitting can be a viable option given the cost of implementing new technologies, but organizations must first accurately assess the risks.

Loosely coupled systems can help now—in lieu of an overhaul

Even leaders working from a wish list of all the security features they would need to manage IoT-related cyber risks know that it’s unrealistic to expect to put them all to work in the near term. But they can begin putting the tenets of such a system to work today—starting with the deployment of loosely coupled systems, which can help ensure that the failure of a single device doesn’t lead to widespread failure. IoT solutions need to be implemented in such a way that they blend organization-specific operational capabilities with multilayered cyber risk management techniques.

Loosely coupled systems can help ensure that the failure of a single device doesn’t lead to widespread failure.

Let's talk

The Internet of Things has moved from big idea to reality faster than most expected, much less planned for. But regardless of whether you’ve planned for it, it could already be influencing your organization’s cyber risk profile – and probably warrants more attention today. When organizations optimize their processes for IoT, they can uncover tremendous opportunity for value creation and capture, allowing them to innovate faster, make better decisions and offer compelling products and services to their customers. If you want to know more about these developments or any of those not discussed here, we should talk. We have developed a cyber risk paradigm that focuses on becoming secure, vigilant, and resilient, which has direct relevance for technology, media and telecommunications companies.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.